BILL ANALYSIS

                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                             2015-2016  Regular Session


          AB 259 (Dababneh)
          Version: February 9, 2015
          Hearing Date: July 14, 2015
          Fiscal: Yes
          Urgency: No
          TH   


                                        SUBJECT
                                           
                            Personal Information: Privacy

                                      DESCRIPTION  

          Existing law requires California agencies that own or license  
          computerized data that includes personal information to provide  
          affected individuals with notice of breaches that may have  
          compromised the security of that data.  In addition to  
          notification, this bill would require an agency, if it was the  
          source of the breach and if the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to provide the person with identity  
          theft prevention and mitigation services at no cost for at least  
          12 months.

                                      BACKGROUND  

          In 2003, California's first-in-the-nation security breach  
          notification law went into effect. (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)   Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have enacted or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their personal information is  
          breached.  This notification requirement ensures that residents  
          are made aware of a breach, thus allowing them to take  
          appropriate action to mitigate or prevent potential financial  
          losses due to fraudulent activity.

          Last year, the Legislature passed AB 1710 (Dickinson, Ch. 855,  
          Stats. 2014) which amended California's data breach notification  
          law to require a person or business to offer appropriate  
          identity theft prevention and mitigation services to an affected  
          person at no cost for not less than 12 months if the person or  
          business was the source of a data breach.  AB 1710 required such  
          services to be offered only if the breach compromised an  
          individual's first name or first initial and last name along  
          with their social security number, driver's license number, or  
          California identification card number.  AB 1710 did not impose a  
          parallel requirement on state and local agencies that are the  
          source of a data breach.

          This bill would extend to state and local agencies the  
          requirement to offer identity theft prevention and mitigation  
          services to individuals affected by a data breach when the  
          agency is the source of the breach.  As with persons and businesses  
          that are required to offer these services under existing law,  
          the services must be offered at no cost for at least 12 months,  
          and need only be provided if the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number.

                                CHANGES TO EXISTING LAW
           
          Existing law requires any agency, person, or business that owns  
          or licenses computerized data that includes personal information  
          to disclose a breach of the security of the system to any  
          California resident whose unencrypted personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  The disclosure must be made in the most  
          expedient time possible and without unreasonable delay,  
          consistent with the legitimate needs of law enforcement, as  
          specified.  (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),  
          (c).)

          Existing law requires any agency, person, or business that  
          maintains computerized data that includes personal information  
          that the agency, person, or business does not own to notify the  
          owner or licensee of the information of any security breach  
          immediately following discovery if the personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  (Civ. Code Secs. 1798.29(b), 1798.82(b).)

          Existing law defines "personal information," for purposes of the  
          breach notification statute, to include either a user name or  
          email address, in combination with a password or security  
          question and answer that would permit access to an online  
          account, or the individual's first name or first initial and  
          last name in combination with one or more of the following data  
          elements, when either the name or the data elements are not  
          encrypted: social security number; driver's license number or  
          California identification card number; account number, credit or  
          debit card number, in combination with any required security  
          code, access code, or password that would permit access to an  
          individual's financial account; medical information; or health  
          insurance information.  "Personal information" does not include  
          publicly available information that is lawfully made available  
          to the general public from federal, state, or local government  
          records.  (Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and  
          (i).)

          Existing law states that if the person or business providing the  
          notification was the source of the breach, an offer to provide  
          appropriate identity theft prevention and mitigation services,  
          if any, shall be provided at no cost to the affected person for  
          not less than 12 months, along with all information necessary to  
          take advantage of the offer to any person whose information was  
          or may have been breached if the breach exposed or may have  
          exposed an individual's first name or first initial and last  
          name along with their social security number, driver's license  
          number, or California identification card number.  (Civ. Code  
          Sec. 1798.82(d).)

          This bill would provide that if the agency providing the  
          notification was the source of the breach, an offer to provide  
          appropriate identity theft prevention and mitigation services,  
          if any, shall be provided at no cost to the affected person for  
          not less than 12 months, along with all information necessary to  
          take advantage of the offer to any person whose information was  
          or may have been breached if the breach exposed an individual's  
          first name or first initial and last name along with their  
          social security number, driver's license number, or California  
          identification card number.

          This bill would make other technical and conforming changes to  
          existing law.
          
                                        COMMENT
           
          1. Stated need for the bill
           
          The author writes:

            California has two data breach notification laws, one applying  
            to businesses and the other to public agencies.  Existing law  
            requires any person or business responsible for a breach to  
            offer identity theft . . . prevention [and] mitigation  
            services at no cost to the affected parties for no less than  
            12 months if [social security numbers] or driver license  
            numbers are compromised.  Currently, if a state or local  
            agency suffered a data breach that included [social security  
            numbers] or driver's license numbers, consumers would not be  
            provided identity theft prevention services.  A breach  
            resulting in the release of social security or driver license  
            numbers can lead to identity theft, forcing consumers to  
            monitor their personal information for years to come.  Whether  
            a data breach occurs at a state agency or a business, the same  
            standards should be in place to protect consumers.

            AB 259 will require public agencies who suffer a breach to  
            offer identity theft prevention or mitigation services at no  
            cost to the affected person for no less than 12 months if  
            personal information breached includes social security or  
            driver's license numbers.
             
          2. Right to Privacy and Agency Breaches
           
          California recognizes that the right to privacy is a fundamental  
          right, and has enshrined that right along with other fundamental  
          rights in article I, section 1 of the California Constitution.   
          The harm that can result from the theft of personal information  
          via a data breach threatens to undermine that fundamental right.  
          Unfortunately, because of the size of its economy and the  
          number of consumers, the data held by California businesses and  
          government agencies is frequently targeted by cyber criminals.   
          The Attorney General's 2014 California Data Breach Report found  
          that, in 2012, "17 percent of the data breaches recorded in the  
          United States took place in California - more than any other  
          state" and that "the number of reported breaches in California  
          increased by 28 percent in 2013."  (California Department of  
          Justice, California Data Breach Report (Oct. 2014)  
           [as of Jul. 2, 2015].)  The frequency  
          of data breaches in California and the threat that such breaches  
          pose to California residents makes timely and effective  
          notification of a breach, and the ability to mitigate potential  
          damages resulting from the breach, matters of critical  
          importance.

          Recent data breaches show that government agencies are just as  
          vulnerable as businesses and individuals to breaches that expose  
          the personal information of California residents.  In March of  
          last year, for example, the California Department of Motor  
          Vehicles reported that its system for processing online credit  
          card transactions may have been breached, potentially  
          compromising millions of credit card numbers, expiration dates  
          and credit card security codes.  (See Kate Mather and Carla  
          Rivera, California DMV Probing Possible Breach of Customer  
          Credit Cards, Los Angeles Times (Mar. 22, 2014)  
           [as of Jul. 2, 2015].)  More recently, the federal  
          Office of Personnel Management suffered a massive data breach  
          that revealed the personal information of an estimated 4 to 18  
          million federal workers, including many with secret-level  
          security clearances.  (See Adam Elkus, The Devastating Breach of  
          US Government Data Highlights an Illusory Cybersecurity Paradox,  
          Business Insider (Jun. 18, 2015)  
           [as of Jul. 2, 2015].)

          When breaches do occur, "it has become increasingly common for  
          entities experiencing a data breach to offer victims a  
          mitigation service, such as credit monitoring or a security  
          freeze."  (California Department of Justice, California Data  
          Breach Report (Oct. 2014)  [as  
          of Jul. 2, 2015].)  "Such services can be helpful in cases where  
          social security numbers or driver's license numbers are  
          compromised, as they give early notice to individuals when  
          criminals use their information to open new accounts in their  
          name."  (Id.)  Despite the utility of these mitigation services,  
          the Attorney General's 2014 California Data Breach Report found  
          that, for the 157 reported breaches involving social security  
          numbers or driver's license numbers that occurred in 2012 and  
          2013, "a mitigation service was offered in just 112 of them (71  
          percent)."  The report noted that "[i]n 45 of such breaches (29  
          percent), no service was offered," and that there was "no  
          meaningful change from 2012, when no mitigation service was  
          offered in 29 percent of breaches where it would have been  
          helpful, to 2013, when no such product was offered in 28 percent  
          of appropriate breaches."  (Id.)

          This bill would expand the offering of breach mitigation  
          services by mandating that state and local agencies offer  
          affected individuals no less than 12 months of an appropriate  
          identity theft prevention and mitigation service at no cost when  
          the agency is the source of a data breach involving both the  
          individual's first name or first initial and last name and their  
          social security number, driver's license number, or California  
          identification card number.  Writing in support, the California  
          School Employees Association, AFL-CIO, states:

            Identity theft is becoming a very big problem that has a huge  
            impact on the lives of those who are victims.  Once you are a  
            victim of identity theft, it is very difficult to resolve  
            these issues and quite costly and time consuming.  AB 259 is  
            an important step in helping the victims of identity theft to  
            repair their credit and get their financial lives back in  
            order . . . Those who are responsible for information breaches  
            should be required to provide the victims with free identity  
            theft prevention and mitigation services for, at the very  
            least, one year.  The victim should not have to spend their  
            own resources, which can be very expensive, to deal with a  
            problem they did not create.

          3. Opposition Concerns
           
          The California Association of Joint Powers Authorities (CAJPA),  
          writing in opposition, states that AB 259 would impose "unknown  
          but substantial new costs on local public entities when the  
          local agency is the source of a data breach."  They state:

            CAJPA believes AB 259 contains worthwhile goals, but is  
            impractical from [a] public entity's fiscal viewpoint.  Annual  
            credit monitoring per person costs well over $100 per person  
            per year depending on the company used.  Local government  
            budgets must already stretch to cover needed, vital services.   
            CAJPA believes that unless AB 259 is amended to provide the  
            start up and necessary on-going funding to establish and  
            maintain such a unit in every local public entity office in  
            the future, plus cover the costs of providing the credit  
            monitoring reports, the mandates of this bill cannot be met.

          Support:  American Federation of State, County, and Municipal  
          Employees, AFL-CIO; Association of California Life & Health  
          Insurance Companies; California Association of Collectors;  
          California Bankers Association; California Business Properties  
          Association; California Chamber of Commerce; California Credit  
          Union League; California Grocers Association; California Land  
          Title Association; California Realtors Association; California  
          School Employees Association, AFL-CIO; Direct Marketing  
          Association; Retail Industry Leaders Association

          Opposition:  California Association of Joint Powers Authorities

                                        HISTORY
           
          Source:  Author

          Related Pending Legislation:

          SB 570 (Jackson, 2015) would require entities that must provide  
          affected individuals with notice of a data breach to provide  
          that notice in a specified format.  Specifically, this bill  
          would require these entities to provide a one-page notice, if  
          written, entitled "Notice of Data Breach," in which the content  
          required by the Data Breach Notification Law is presented under  
          the following headings: "What Happened," "What Information Was  
          Involved," "What We Are Doing," "What You Can Do," and "For More  
          Information."  This bill would state that additional information  
          may be provided as a supplement to the notice, would clarify the  
          requirements for providing substitute notice of a data breach,  
          and would make other technical and clarifying changes.  This  
          bill is pending in the Assembly Privacy and Consumer Protection  
          Committee.

          AB 964 (Chau) would define "encrypted" as used in California's  
          data breach notification law to mean rendered unusable,  
          unreadable, or indecipherable to an unauthorized person through  
          a security technology or methodology generally accepted in the  
          field of information security.

          Prior Legislation:

          AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's  
          Data Breach Notification Law to require a person or business to  
          offer appropriate identity theft prevention and mitigation  
          services to an affected person at no cost for not less than 12  
          months if the person or business was the source of a data  
          breach.  This bill also prohibited the sale, advertisement for  
          sale, or offer to sell an individual's social security number.

          SB 46 (Corbett, Ch. 396, Stats. 2013) revised the data elements  
          included within the definition of personal information under  
          California's Data Breach Notification Law by adding certain  
          information that would permit access to an online account, and  
          imposed additional requirements on the disclosure of a breach of  
          the security of the system or data in situations where the  
          breach involves personal information that would permit access to  
          an online or email account.

          AB 1149 (Campos, Ch. 395, Stats. 2013) expanded existing  
          disclosure requirements concerning breaches of computerized data  
          owned or licensed by state agencies to "local agencies" as  
          defined by Government Code Section 6252(a).  This bill also made  
          certain technical corrections to the security breach  
          notification law.

          SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency,  
          person, or business that is required to issue a security breach  
          notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.

          AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added  
          medical information and health insurance information to the data  
          elements that, when combined with the individual's name, would  
          constitute personal information requiring disclosure when  
          acquired, or believed to be acquired, by an unauthorized person  
          due to a security breach.

          AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that  
          owns or licenses personal information about a California  
          resident to implement and maintain reasonable security  
          procedures and practices to protect personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.  AB 1950 also required a business that discloses  
          personal information to a nonaffiliated third party to require  
          by contract that those entities maintain reasonable security  
          procedures.

          SB 1386 (Peace, Ch. 915, Stats. 2002) enacted California's Data  
          Breach Notification Law and required a state agency, or a person  
          or business that conducts business in California, that owns or  
          licenses computerized data that includes personal information to  
          disclose any breach of the security of the data to California's  
          residents whose unencrypted personal information was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person.  SB 1386 permitted notifications to be delayed if a law  
          enforcement agency determines that it would impede a criminal  
          investigation, and required an agency, person, or business that  
          maintains computerized data that includes personal information  
          owned by another to notify the owner or licensee of the  
          information of any breach of security of the data.

          Prior Vote:

          Assembly Floor (Ayes 80, Noes 0)
          Assembly Appropriations Committee (Ayes 17, Noes 0)
          Assembly Privacy and Consumer Protection Committee (Ayes 11,  
          Noes 0)

                                   **************